Archive

Having trouble connecting PowerShell to SharePoint Online? This could be the resolution to your troubles.
I had this myself, or rather we had it in our company tenant. This is what the issue was and this is how I fixed it:

When trying to connect to PowerShell for SharePoint Online using the Connect-SPOService command, we got an error that did not tell us anything.

The error is:

Connect-SPOService : For security reasons DTD is prohibited in this document. To enable DTD processing set DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method.

Well, it is almost a joke, right…
When searching the web for information on this particular error, I struck zero…all I could find related to ISPs and the default search provider, something like that. I quickly dismissed them as unrelated.
Then after some time had passed, I found a similar issue. This seemed related and it was a connectivity issue, same as mine (if I still had the link I would give credit where credit is due). This fellow had resolved the issue by adding a missing DNS record.
This made me think: since our tenant has existed since way before Office 365 existed (BPOS), perhaps we were also missing some of the required DNS records?
I checked with my colleagues, and apparently we were missing the record as well.

So, if you ever see the ‘DTD prohibited’ issue, remember to check the DNS zone of your domain for the following record:

Type: CNAME
Alias: MSOID
Target: clientconfig.microsoftonline-p.net
Info: Used by Office 365 to direct authentication to the correct identity platform

After I added this to DNS, Connect-SPOService works just fine!

Microsoft’s official explanation of the DNS record:

What’s the purpose of the additional Office 365 CNAME record?

When you run a client application that works with Office 365 such as Lync, Outlook, Windows PowerShell or Microsoft Azure Active Directory Sync tool, your credentials must be authenticated. Office 365 uses a CNAME record to point to the correct authentication endpoint for your location, which ensures rapid authentication response times.

If this CNAME record is missing for your domain, these applications will use a default authentication endpoint in the United States, which means authentication might be slower. If this CNAME record isn’t configured properly, for example, if you have a typo in the Points to address, these applications won’t be able to authenticate.
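Since a missing record and a mistyped target fail in different ways (slow fallback versus no authentication at all), it is worth checking both before opening a ticket. The function below is an added example, not part of the original post: it resolves msoid.<domain> for every domain you pass in and reports whether the CNAME exists and points at the expected target. The domain names are assumed placeholders; Resolve-DnsName is the DnsClient cmdlet available on Windows 8/Server 2012 and later.

```powershell
# Added example: verify the MSOID CNAME for one or more tenant domains.
# Assumes the domain names in the call at the bottom are placeholders.
function Test-MsoidCname {
    param(
        [Parameter(Mandatory)][string[]]$Domain,
        [string]$ExpectedTarget = 'clientconfig.microsoftonline-p.net'
    )
    foreach ($d in $Domain) {
        $name = "msoid.$d"
        try {
            # -DnsOnly skips the local hosts file and cache so we see what the zone really says
            $cname = Resolve-DnsName -Name $name -Type CNAME -DnsOnly -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        } catch {
            $cname = $null   # NXDOMAIN or no CNAME: the record is missing
        }
        [pscustomobject]@{
            Domain = $d
            Record = $name
            Target = if ($cname) { $cname.NameHost } else { $null }
            # Ok is only true when the record exists AND the target is spelled correctly
            Ok     = [bool]($cname -and $cname.NameHost -eq $ExpectedTarget)
        }
    }
}

Test-MsoidCname -Domain 'contoso.com', 'northwindtraders.com' | Format-Table -AutoSize
```

A row with an empty Target is the missing-record case from this post; a row with a Target that is not the expected name is the typo case Microsoft describes, which breaks authentication outright.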

This time I will give you a quick but great function to use if you are working with OneDrive for Business:

Function to resolve a user’s OneDrive for Business URL


Simple solution, great to have, unbelievably efficient…

Ok, this is perhaps my shortest post ever…I’ll just explain real quick.
OneDrive for Business gets its URL from the tenant name and the user’s UserPrincipalName. Building this by hand every time can be troublesome…
This is what I use, a function I created last summer when I was tired of doing them one at a time…

It works even with users that have a different domain in the UPN than the tenant name.
This is it:

If you have a single email domain in your organization, use the first script; if you have multiple email domains, use the second.
All you have to do is copy or retype the script into a prompt/ps1 or ISE session, then run the script. You have the option to save some time by entering your account name in the script (see start).

Use the second script if your organization uses multiple domain names as email domains. For example, if you use ‘contoso.com’, ‘microsoft.com’ and ‘northwindtraders.com’ as UPN domains within your O365 tenant, then use this script. You will be asked for the domain used in the O365 tenant address.
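The derivation is mechanical: the personal site lives under https://<tenant>-my.sharepoint.com/personal/ and the last path segment is the UPN with ‘@’ and ‘.’ turned into ‘_’, which is why a user whose UPN domain differs from the tenant name still resolves correctly. The function below is an added example written for this page, not the author’s script: it builds the URL for any number of UPNs and, with -Verify, asks Get-SPOSite (from the same SharePoint Online module used with Connect-SPOService in the post above) whether the site actually exists. The tenant name and UPNs are assumed placeholders; UPNs containing other special characters, or users whose site received a numeric suffix because of a collision, are outside what this example handles.

```powershell
# Added example: resolve OneDrive for Business URLs from tenant name + UPN.
# -Verify needs an existing Connect-SPOService session (tenant admin).
function Get-ODfBUrl {
    param(
        [Parameter(Mandatory)][string]$TenantName,                         # 'contoso' for contoso.onmicrosoft.com
        [Parameter(Mandatory, ValueFromPipeline)][string[]]$UserPrincipalName,
        [switch]$Verify
    )
    process {
        foreach ($upn in $UserPrincipalName) {
            # '@' and '.' become '_', the rest of the UPN is kept (lower case)
            $personal = $upn.ToLowerInvariant() -replace '[@.]', '_'
            $url      = "https://$TenantName-my.sharepoint.com/personal/$personal"
            $status   = 'not checked'
            if ($Verify) {
                # Get-SPOSite throws on an unknown site; SilentlyContinue turns that into $null
                $site   = Get-SPOSite -Identity $url -ErrorAction SilentlyContinue
                $status = if ($site) { 'provisioned' } else { 'missing' }
            }
            [pscustomobject]@{ UPN = $upn; OneDriveUrl = $url; Status = $status }
        }
    }
}

# Assumed placeholder users from two email domains, one tenant name
'test.user@contoso.com', 'jane.doe@northwindtraders.com' |
    Get-ODfBUrl -TenantName 'contoso' | Format-Table -AutoSize
```

Run it with -Verify after Connect-SPOService to get the same ‘does not seem to be provisioned’ answer the examples below describe, without opening each URL in a browser.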


Example 1

As you can see, the list contains users with different email domains, contoso and northwind. The submitted O365 org name, contoso, is however used to verify the OneDrive site.
In this example, the user test.user@contoso.com does not seem to have the OneDrive site provisioned.


Example 2

As you can see, the list contains users with only contoso as email domain.
In this example, the user test.user2@contoso.com does not seem to have the OneDrive site provisioned. Try to provision again or verify manually.

Provision OneDrive for Business using only PowerShell.

Get the people up there…into the Clouds…(Liseberg, Gothenburg, Sweden)

Time to roll out OneDrive for Business in the Enterprise? Or maybe you just want to implement OneDrive for Business in a controlled way, and you may not be a hardcore developer either.

If you want to do any kind of preparation before letting the users into their OneDrives, you will need to have them created/provisioned first. After that you can go ahead and give yourself permission (separate blog post), migrate a user’s files (separate blog post), preconfigure, brand, and so on.
In this guide I have tried to offer a way to provision OneDrive for Business for your users that does not require you to know C#, Visual Studio or any development at all. How does that sound? All you need to do is follow this guide to the letter, and you will be successful.

The only way I have found so far to provision a user’s OneDrive for Business as an administrator is to use code developed by the Office AMS Community Project. This includes, among other things, a great Visual Studio sample project for provisioning users’ OneDrive for Business, and it is really spot on. But…it is not that easy to get going; for a non-developer it may prove to be impossible.

I have used code from the samples, but I will only use PowerShell to execute it. This is what will make it easy for others (such as you?) to use.
The Office AMS project also includes the SharePoint client assemblies needed to do anything with SPO using CSOM, the Client Side Object Model (code executed on the client).

In order to get started provisioning your users’ OneDrive for Business sites (or we can just as well call them MySites, since this is what they really are…), you just follow these steps:

Quickguide

Locate the Microsoft.SharePoint.Client assemblies in the unpacked Office App Model Samples folders, located in <unpack location>\Office App Model Samples v2.0\Assemblies\16\. Copy the files Microsoft.SharePoint.Client.dll, Microsoft.SharePoint.Client.UserProfiles.dll and Microsoft.SharePoint.Client.Runtime.dll and put them in a folder of your choice; I used C:\Temp\ in my sample. (You can also leave the files as they are, but then you have to alter the PowerShell code to reference the path in the Office AMS folders.)

In a PowerShell prompt/ISE running as admin, run the PowerShell script from the detailed guide below (also downloadable as a Word file). This will load the code needed to access SPO and start provisioning. (Verify, and update if needed, the $MyAssemblies line at the very bottom.)

Execute the code in the same PowerShell prompt/ISE running as admin (it has to be the same prompt/ISE used to load the script), using this syntax:
[OneDriveforBusiness.ProvisionOneDrive]::Execute(<SharePointAdminURL>, <GlobalTenantAdminAccount>, <AdminAccountPassword>, <ListofUsersEmailSeparatedbyCommas>)

The detailed Guide:


1. Download

New! Download the latest version of the SharePoint Server 2013 Client Components SDK (x86 or x64). This SDK contains the DLLs needed.
During the install, the dll’s will be added to the following path:
C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI\

Download the latest version (Office App Model Samples 2.0 – July 2014 – Update 1) of the Office App Model Samples. The project has been renamed to the more formal Office 365 Developer Patterns & Practices, but it is still the same. The last tested version is currently 2.0, found here: DOWNLOAD Office AMS

2. Get the assemblies


Unpack the files to a location of your choice. (Ironically enough, the files will not sync very well if stored in a OneDrive for Business synchronized folder, because of long paths among other issues.)
Locate the ‘assemblies\16’ folder. In this folder you will find the three files we need: Microsoft.SharePoint.Client.dll, Microsoft.SharePoint.Client.UserProfiles.dll and Microsoft.SharePoint.Client.Runtime.dll. Either put these three files in a better location, or make a note of the path to the folder.

3. Run the script


Start a PowerShell prompt/ISE running as administrator. This is where all the magic will happen. Copy the PowerShell script below, or download the script file (Word file), then paste the script into the prompt/ISE.
Before executing the script, you will need to alter one thing: the path to the assembly files. Update the line where we assign a value to $MyAssemblies to reflect where you have your SharePoint.Client DLL files. This is crucial, since the code needs to be able to access these assemblies during execution.

4 Executing the provisioning code


We have now loaded the code into memory (as a .NET Framework class in your Windows PowerShell session), where it is available just as if we had created a C# DLL and loaded it into the GAC. Remember though, the code is now static and cannot be altered. If you need to make any changes, have a look in the Possible errors section, where I show how to alter the code after it has been loaded once.

Now we have to call the code loaded into memory. This is done from the same prompt/ISE used to load the code; the code only exists in that prompt session, so it will not be available in any other prompt.

What you need to supply when running the code is your SharePoint Online admin address, a tenant admin account and password, plus a list of email addresses of the users that will be provisioned with a OneDrive for Business.

Start by typing in this:

[OneDriveforBusiness.ProvisionOneDrive]::Execute

What this does is call the code we just loaded from PowerShell. The namespace is OneDriveforBusiness, the class is ProvisionOneDrive and finally the method (a void) is Execute.

<SharePointAdminURL>: The admin address is available if you go to the Admin/SharePoint administration web. It is visible in the address field of your browser:

<GlobalTenantAdminAccount>: An account that is a global Office 365 Tenant Administrator.
The account must have this setting in Office 365 Admin Center/Users & Groups – User object:

<AdminAccountPassword>: The password of the <GlobalTenantAdminAccount>. This will be entered in cleartext, not the ideal security solution but this is the only way I could solve it.
(Suggestions on how to prompt for the password in a secure way is welcome!)

<ListofUsersEmailSeparatedbyCommas>: The users that will be provisioned with OneDrive for Business, as a list of UPNs (User Principal Names) separated by commas. The UPN must be the one registered in Office 365. The UPN is in the form of an email address, for example user@domain.com. Enter the string with double quotes on both sides.

This is what the string should look like: “user1@donkeymind.com, user2@donkeymind.com, user3@donkeymind.com, user4@donkeymind.com, user5@donkeymind.com”

When you have all the values in order, type in the command with your parameters and execute the provisioning:

The limit for the number of users submitted for provisioning has been set by Microsoft to 200 at a time. This code does allow more, but it will cause issues. Better to do them 200 at a time, wait until done and then do 200 more; alternatively, alter the code to include a check so that every user has been provisioned ok before moving on to the next batch.

Now you can execute the command again and again. You can obviously also use the code for other tenants: simply provide the command with a different account and a different admin URL and you are good to go. Good luck!
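Two things the guide leaves to the reader: keeping the admin password off the command line (the cleartext parameter mentioned above), and enforcing the 200-user limit. The wrapper below is an added example, not the author’s code: it prompts for the password as a SecureString, unwraps it only for the duration of the call, and feeds the UPN list to the loaded Execute method in batches of at most 200 with a pause between batches. It assumes the class [OneDriveforBusiness.ProvisionOneDrive] is already loaded in the same session by the guide’s script, the Execute signature given above, and placeholder values for the admin URL, admin account and input file.

```powershell
# Added example: batch wrapper around the guide's Execute method with a SecureString prompt.
# Assumes [OneDriveforBusiness.ProvisionOneDrive]::Execute(url, account, password, csvList)
# is already loaded in this PowerShell session (see step 3 of the guide).
function Invoke-ODfBProvisioning {
    param(
        [Parameter(Mandatory)][string]$AdminUrl,          # https://<tenant>-admin.sharepoint.com
        [Parameter(Mandatory)][string]$AdminAccount,      # global tenant admin UPN
        [Parameter(Mandatory)][string[]]$UserPrincipalName,
        [int]$BatchSize    = 200,                         # Microsoft's per-call limit
        [int]$PauseSeconds = 60                           # breathing room between batches
    )
    $secure = Read-Host -Prompt "Password for $AdminAccount" -AsSecureString
    # Execute wants a plain string, so unwrap the SecureString only for the duration of the calls
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        for ($i = 0; $i -lt $UserPrincipalName.Count; $i += $BatchSize) {
            $end   = [Math]::Min($i + $BatchSize, $UserPrincipalName.Count) - 1
            $batch = $UserPrincipalName[$i..$end] -join ', '
            Write-Host ('Submitting users {0}-{1} of {2}' -f ($i + 1), ($end + 1), $UserPrincipalName.Count)
            [OneDriveforBusiness.ProvisionOneDrive]::Execute($AdminUrl, $AdminAccount, $plain, $batch)
            if ($end + 1 -lt $UserPrincipalName.Count) { Start-Sleep -Seconds $PauseSeconds }
        }
    } finally {
        # Free the unmanaged copy; the managed $plain string is dropped but cannot be zeroed reliably
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        Remove-Variable plain -ErrorAction SilentlyContinue
    }
}

# Assumed input: a text file with one UPN per line
$users = Get-Content 'C:\Temp\users.txt'
Invoke-ODfBProvisioning -AdminUrl 'https://contoso-admin.sharepoint.com' `
                        -AdminAccount 'admin@contoso.com' -UserPrincipalName $users
```

The password still reaches the .NET method as a plain string, because that is the signature the loaded class exposes; what changes is that it never appears in the console history, in a .ps1 on disk, or in the ISE command pane.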

Since you are using your admin account, you have access to the private part of the OneDrive/MySite.

Note: All the steps in this guide have been verified on a Windows 8.1 Update 1 machine, using PowerShell ISE and the Office AMS July 2014 Update 1. All tests have been done during August of 2014, the functionality of Office 365 may change over time and may thus cause this guide to fail. If this happens I will try to be alert and update the guide accordingly.


Possible errors


1. You need to alter the script and then run it again?

If you have loaded the code once and need to edit it and run it again, you may get an error saying that the ‘Type has already been added’ or similar. If you get this you have two choices: simply restart your PowerShell prompt/ISE, or change the name of the public class:

Add for example a number after, so that the class is called: ProvisionOneDrive1, then 2 and so on.

2. Nothing happens, no OneDrive shows up?

Verify all your values, then execute the command again. Remember though, that the time it takes for a site to show up may vary and can be up to 5 minutes per site. Wait a moment longer and try again.

If you have the wrong address when verifying, you will see one of these pages depending on the URL used:

Future and existing Office Web Apps – OWA Lovers!
😁
This time, I just found that a quick guide like this was something I needed myself, and since I could not find anything that was short and compact enough, I made my own guide…
This little guide is completely based on the TechNet articles mentioned in the references section, but it is nonetheless a lot shorter and easier to follow.

Windows Server 2008 R2 SP1:

2. Import the Server Manager module (in a PowerShell prompt running as administrator):
Import-Module ServerManager

3. Add the required features and roles by running this command:
Add-WindowsFeature Web-Server,Web-WebServer,Web-Common-Http,Web-Static-Content,Web-App-Dev,Web-Asp-Net,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,Web-Security,Web-Windows-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Console,Ink-Handwriting,IH-Ink-Support

Windows Server 2012:

1. In a PowerShell prompt running as administrator, add the required features and roles by running this command:
Add-WindowsFeature Web-Server,Web-Mgmt-Tools,Web-Mgmt-Console,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Static-Content,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,InkandHandwritingServices

2. Run Setup and walk through the steps in the wizard.
Windows Server 2012, open the .img file directly and run Setup.exe
Windows Server 2008 R2 SP1, use any program that can mount or extract .img files. Then run Setup.exe

If components of the .NET Framework 3.5 were installed and then removed, you might see “500 Web Service Exceptions” or “500.21 – Internal Server Error” messages when you run OfficeWebApps cmdlets. To fix this, run the following commands from an elevated command prompt to clean up settings that could prevent Office Web Apps Server from functioning correctly:

In Windows Server 2008 R2:
%systemroot%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -iru
iisreset /restart /noforce

In Windows Server 2012:
dism /online /enable-feature /featurename:IIS-ASPNET45

<InternalURL> FQDN of the server that runs Office Web Apps Server
<ExternalURL> FQDN that can be accessed from the Internet
<CertificateName> The friendly name of the https/SSL certificate used
-EditingEnabled Optional, added to enable editing in Office Web Apps

2. Verify that the Office Web Apps Server farm was created successfully

Depending on the security settings of your web browser, you might see a message that prompts you to select Show all content before the contents of the discovery XML file are displayed.
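The farm command itself is not reproduced on this page, so here is an added example (written for this page, not the author’s own command) of creating a single-server https farm with the parameters listed above and then verifying it by fetching the discovery XML from PowerShell instead of a browser, which sidesteps the ‘Show all content’ prompt. The host names and certificate friendly name are assumed placeholders; the certificate must already be in the computer store under that friendly name, and -EditingEnabled asks you to confirm licensing interactively.

```powershell
# Added example: create the Office Web Apps farm over https and check the WOPI discovery endpoint.
# Assumed placeholders: internal/external URLs and the certificate friendly name 'OWA-Cert'.
Import-Module OfficeWebApps

$internal = 'https://owa.corp.contoso.com'   # FQDN reachable from the SharePoint farm
$external = 'https://owa.contoso.com'        # FQDN reachable from the Internet

New-OfficeWebAppsFarm -InternalUrl $internal -ExternalUrl $external `
                      -CertificateName 'OWA-Cert' -EditingEnabled

# Verification: the discovery document is what SharePoint reads when you run New-SPWOPIBinding.
# Anything other than a <wopi-discovery> root with net-zone entries means the farm is not ready.
$resp = Invoke-WebRequest -Uri "$internal/hosting/discovery" -UseBasicParsing
$xml  = [xml]$resp.Content
$xml.'wopi-discovery'.'net-zone' |
    Select-Object name, @{ n = 'apps'; e = { @($_.app).Count } }
```

For an https farm you should see an internal-https and an external-https zone listed with a non-zero app count; if the request fails with a certificate error, the friendly name points at a certificate whose subject does not match the internal FQDN.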

3. Done

TechNet Reference

Configure SharePoint to use OWA over https (recommended)
(In a PowerShell prompt running as administrator and with the SharePoint snapin loaded)

The Web Application to be used must be configured to use Claims as authentication method, else OWA will not work.

1. Create new binding:
New-SPWOPIBinding -ServerName <WacServerName>
(<WacServerName> must be the FQDN internal URL)

2. Verify current zone:
Get-SPWOPIZone

3. Change to internal-https if it is set to http:
Set-SPWOPIZone -zone "internal-https"

4. Verify https:
Get-SPWOPIZone

5. Verify functionality in a document library (Not using the system account, appearing as sharepoint\system)
Click on the ‘Three dots’ after a documents name and see if you get a preview, if you do, its all good!

6. Done

TechNet Reference

Configure SharePoint to use OWA over http
(In a PowerShell prompt running as administrator and with the SharePoint snapin loaded)

The Web Application to be used must be configured to use Claims as authentication method, else OWA will not work.

1. Create new binding:
New-SPWOPIBinding -ServerName <WacServerName> -AllowHTTP
(<WacServerName> must be the FQDN internal URL)

8. Verify functionality in a document library (Not using the system account, appearing as sharepoint\system)
Click on the ‘Three dots’ after a documents name and see if you get a preview, if you do, its all good!

9. Done

TechNet Reference

Disconnect SharePoint from OWA farm
(In a PowerShell prompt running as administrator and with the SharePoint snapin loaded)

Mattias Gutke! All the time dude!
Ankie D – a great customer who has forced me to learn more on OWA
Stefan K – another customer who made me refresh my knowledge
Steve Peschka, he wrote the original guide…see ref section
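The three SharePoint-side procedures above (https binding, http binding, disconnect) fit in one script, so here they are together as an added example, not the guide’s own commands. The WAC server FQDN is an assumed placeholder. The http variant is kept commented out: it is the weak configuration, because the OAuth tokens SharePoint and OWA exchange then travel in clear text, and SharePoint refuses it unless you additionally set AllowOAuthOverHttp on the security token service, which is exactly why https is the recommended path.

```powershell
# Added example: bind SharePoint 2013 to the OWA farm, verify the zone, and show how to undo it.
# Run elevated on a SharePoint server. Assumed placeholder: the WAC server FQDN.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$wac = 'owa.corp.contoso.com'

# Recommended: https. Without -AllowHTTP the cmdlet only accepts an https discovery endpoint.
New-SPWOPIBinding -ServerName $wac
if ((Get-SPWOPIZone) -ne 'internal-https') {
    Set-SPWOPIZone -zone 'internal-https'
}
Get-SPWOPIZone   # expected: internal-https

# Insecure alternative for test farms only (OAuth tokens in clear text on the wire):
#   New-SPWOPIBinding -ServerName $wac -AllowHTTP
#   Set-SPWOPIZone -zone 'internal-http'
#   $sts = Get-SPSecurityTokenServiceConfig
#   $sts.AllowOAuthOverHttp = $true
#   $sts.Update()

# Disconnect SharePoint from the OWA farm: remove every WOPI binding in one go
#   Remove-SPWOPIBinding -All:$true -Confirm:$false
```

The web application must use claims authentication, as the guide notes, and the functional check is still the document preview in a library while logged on as a normal user, not as the farm or system account.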

Identity

Required

Specifies the URL or GUID of the Web to be exported. The type must be either
– a valid GUID, in the form ‘12345678-90ab-cdef-1234-567890bcdefgh’
– a valid name of a SharePoint site (for example, MySPSite1)
or a URL: http://blog.blksthl.com
or an instance of a valid SPWeb object

Path

Required

Specifies the name of the export file. If the -NoFileCompression parameter is used, a directory must be specified; otherwise, any file format is valid.
Example: “c:\temp\exportedsite.cmp” or with the -NoFileCompression “c:\temp\exportedsite\”

AssignmentCollection

Optional

Manages objects for the purpose of proper disposal. Use of objects, such as SPWeb or SPSite, can use large amounts of memory and use of these objects in Windows PowerShell scripts requires proper memory management. Using the SPAssignment object, you can assign objects to a variable and dispose of the objects after they are needed to free up memory. When SPWeb, SPSite, or SPSiteAdministration objects are used, the objects are automatically disposed of if an assignment collection or the Global parameter is not used.

Note:

When the Global parameter is used, all objects are contained in the global store. If objects are not immediately used, or disposed of by using the Stop-SPAssignment command, an out-of-memory scenario can occur.

CompressionSize

Optional

Sets the maximum file size for the compressed export files. If the total size of the exported package is greater than this size, the exported package will be split into multiple files.

Confirm

Optional

Prompts you for confirmation before executing the command. For more information, type the following command: get-help about_commonparameters

Force

Optional

Forcefully overwrites the export package if it already exists. The type must be either of the following values:
– True
– False
The default value is False.

HaltOnError

Optional

Stops the export process when an error occurs.

HaltOnWarning

Optional

Stops the export process when a warning occurs.

IncludeUserSecurity

Optional

Preserves the user security settings except for SPLists that have broken inheritance and item level permissions set.
(Use Import-SPWeb with –IncludeUserSecurity to preserve security on import)

IncludeVersions

Optional

Indicates the type of file and list item version history to be included in the export operation. If the -IncludeVersions parameter is absent, the Export-SPWeb cmdlet by default uses a value of CurrentVersion. The type must be any one of the following versions:
– LastMajor: Last major version for files and list items (default)
– CurrentVersion: The current version, either the last major version or the last minor version
– LastMajorAndMinor: Last major and last minor version for files and list items
– All: All versions for files and list items

ItemUrl

Optional

Specifies the relative path to the object to be exported. Can also be a GUID. The type must be either
– a valid relative path, for example /Subsite/Documents
– a valid GUID in the form 12345678-90ab-cdef-1234-567890bcdefgh

NoFileCompression

Optional

Either enables or disables file compression in the export package. The export package is stored in the folder specified by the Path parameter or Identity parameter. We recommend that you use this parameter for performance reasons. If compression is enabled, the export process can take approximately 30 percent longer.

NoLogFile

Optional

Suppresses the generation of an export log file. If this parameter is not specified, the Export-SPWeb cmdlet will generate an export log file in the same location as the export package. The log file uses Unified Logging Service (ULS).It is recommended to use this parameter. However, for performance reasons, you might not want to generate a log file.

UseSqlSnapshot

Optional

Specifies a SQL Database Snapshot will be created when the export process begins, and all exported data will be retrieved directly from the database snapshot. This snapshot will be automatically deleted when export completes.

WhatIf

Optional

Displays a message that describes the effect of the command instead of executing the command. For more information, type the following command: get-help about_commonparameters
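Putting the parameters above together, the following is an added example (not from the original post) of exporting a subsite with its full version history and permissions inside an SPAssignment scope, and re-importing it elsewhere. The URLs and paths are assumed placeholders, and the target web must already exist with a matching template. -UseSqlSnapshot is left commented because database snapshots require an Enterprise edition of SQL Server.

```powershell
# Added example: Export-SPWeb / Import-SPWeb round trip with versions and permissions.
# Run elevated in the SharePoint Management Shell. Assumed placeholders: URLs and package path.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$source  = 'http://intranet.contoso.com/sites/projects/alpha'
$target  = 'http://intranet.contoso.com/sites/archive/alpha'
$package = 'C:\Temp\alpha-export'   # a folder, because -NoFileCompression is used

# SPWeb/SPSite objects opened by the cmdlet are disposed when the assignment is stopped
Start-SPAssignment -Global
Export-SPWeb -Identity $source -Path $package -NoFileCompression `
             -IncludeVersions All -IncludeUserSecurity -HaltOnError
             # add -UseSqlSnapshot on SQL Server Enterprise to export from a consistent snapshot
Stop-SPAssignment -Global

# Permissions exported with -IncludeUserSecurity are only restored if the import asks for them too
Start-SPAssignment -Global
Import-SPWeb -Identity $target -Path $package -NoFileCompression `
             -IncludeUserSecurity -HaltOnError
Stop-SPAssignment -Global
```

Leave -NoLogFile out on the first run: the log written next to the package is the only place that tells you which list or item made -HaltOnError stop the job.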

Citizens of SharePoint!
I would like to say a little something about SharePoint and Security.
The usual focus when talking about IT and security is the technical aspects of security; it is a global phenomenon and it has always been like that. My private theory on the reason for this is that technical solutions simply are a lot more fun than the boring processes and policies. Take a Windows laptop for example: when discussing security it always comes down to BitLocker instead of discussing how you work to be secure.
SharePoint is no different, but in the SharePoint industry I feel that we have taken it even further: we do not even feel that security is that much fun, or maybe even that important. The SharePoint community feels that custom solutions and architectural designs, maybe even corporate branding, are a lot more fun than any aspect of security.

Titanic, the unsinkable ship that sunk

In my personal opinion this is a shame, and my hope is that this will gradually change in the future toward a more security-aware SharePoint community.
Developing new solutions, new custom applications and designing the world’s most elaborate SharePoint architecture will for a while yet, I realize, be more interesting to the individual engineer than promoting the importance of keeping your local admin groups clean and why you should not log on using the farm account. This holds for the most experienced Certified Master just as for the SharePoint IT-Pro beginner.
This is a fact, and the risk is that we will start to see the downsides of it, as SharePoint by now has found its rightful place in almost every company’s infrastructure all over the world.
Now you are probably starting to wonder how I can be so bold as to state these things unfounded and without proof? You are probably thinking that you yourself are not like that, you do care about security and all this is just about everyone else, if even that. Maybe some of us are better and some are worse, but we can all do better.
I have a feeling and I have some proof:
– I have for a while now worked dedicated with SharePoint Security, reviewing existing SharePoint environments and designing and implementing fresh new environments. During this period I have yet to come by a Security aware design of a SharePoint environment (my own designs excluded obviously).
– I have customers that have come to me and stated that part of the reason that they have contacted me, is that there simply is no other partner that focuses on SharePoint and Security and that can offer the services that I do. I am according to my customer, without competition, at least in my part of the world.
– I have seen from the SharePoint conference participant surveys, that of all of the topics that the participants want to hear more about next year, Security is always at the very bottom of the list.
– The number one rated and watched session at TechEd this year, was about hacker tools…

I may be wrong, but I doubt it: security is not really on our agenda.
In my experience, all of us in this larger and larger SharePoint community should pay a little extra attention to security in all that we do. Not only to the technical security aspects that we implement because we have to; take for example Kerberos authentication (link to guide). Kerberos is a great security feature that will enhance the security of most SharePoint environments, but not many implementations have been made for the security aspects of it. Rather, a double-hop scenario required it and thus it was implemented (visit my blog for an easy step-by-step guide to Kerberos in SharePoint).
Also, many, many SharePoint environments out there are set up by developers. I beg your pardon, developers, but your focus is often to get a working test and development platform up and running, not to make it secure and stable. And after a solution has been developed and tested for functionality, your job is often done. The result is often something that is less than perfect in terms of security.

It would be really nice if we could all help to change this, if we could all do just a few things that will in fact make the SharePoint environment more secure or at least, make it harder to penetrate and easier to keep track of.

I have made a list of things that we could all easily think of and do, and that would help SharePoint Security awareness.

Keep the number of local server administrators down to a minimum (0).

In most SharePoint environments we can assume that a local server administrator can get access to all of the content in SharePoint. Use domain groups, add an individual’s user account only as needed and remove it when he/she is done.
You’ll find a command at the end that will show you a coarse list of the members of the local Administrators group.

Do not disable the Loopback check on your Web servers.

This is a great security feature; it makes life a little harder for a possible intruder, so why disable it? Add the URLs you need instead. If you buy a house and it has an alarm installed, you do not disable it, you grant access to the members of your family. Also worth mentioning: you should always avoid browsing from the server, but some features like search may depend on accessing the local server, so a configuration may be the best answer.
You’ll find a PowerShell script at the end showing how you can easily configure it to allow the URLs you need instead of disabling it completely.
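The loopback check is the safeguard that stops an NTLM reflection attack against the server itself; DisableLoopbackCheck=1 switches it off for every host name, while BackConnectionHostNames keeps it on and exempts only the names you list. The function below is an added example written for this page, not the author’s script from the end of the post: it merges host names into BackConnectionHostNames, removes a DisableLoopbackCheck override if one is present, and returns the resulting list. The host names are assumed placeholders; run it elevated on each web and search server.

```powershell
# Added example: register host names in BackConnectionHostNames instead of disabling the loopback check.
# Assumed placeholders: the host names passed at the bottom.
function Add-BackConnectionHostName {
    param([Parameter(Mandatory)][string[]]$HostName)

    $msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Merge with whatever is already registered so earlier entries survive
    $existing = @((Get-ItemProperty -Path $msv -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames)
    [string[]]$merged = @($existing + $HostName | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
    New-ItemProperty -Path $msv -Name BackConnectionHostNames -PropertyType MultiString -Value $merged -Force | Out-Null

    # The weak setting: DisableLoopbackCheck=1 turns the protection off for all names. Remove it if present.
    $disabled = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
    if ($disabled -eq 1) {
        Remove-ItemProperty -Path $lsa -Name DisableLoopbackCheck
        Write-Warning 'DisableLoopbackCheck was set to 1 and has been removed; the loopback check is active again.'
    }

    # Return the effective list so the caller can verify it
    (Get-ItemProperty -Path $msv -Name BackConnectionHostNames).BackConnectionHostNames
}

Add-BackConnectionHostName -HostName 'intranet.contoso.com', 'mysites.contoso.com', 'centraladmin.contoso.com'
# Restart the IISAdmin service (or reboot) for LSA to pick up the change.
```

List only the host headers your web applications and search actually use; every name added here is a name for which the reflection protection no longer applies on that server.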

Disable SQL authentication and especially the SA account.

These accounts are completely unmanaged and unmonitored, and they are a popular backdoor for any hacker.
They are rarely used, and when they are it is often by legacy applications; if so, find out why and reconfigure, or put the legacy app on a separate instance or server.

Never use shared accounts (never ever!).

I still see people defending the ‘setup account’ (a shared installation and configuration user), stating that it is given special permissions that are required later on. Operations teams with a lot of people coming and going often use a ‘server monitor’ account that can be borrowed and used to get easy and fast access to the server. It is often a local account and often has a password that is well known by all…
In my opinion, there is never or very rarely a reason to keep a shared account. If you absolutely feel that you must, use a domain account and, more importantly, disable it when it is not in use. Also, change the password regularly.

Need I even explain this? It is however a sad fact that it is often disabled, even in a production environment. It should be enabled and used in all environments; otherwise the development environment makes an easy target for the evil hacker.
Configure it even during development. There are many ways to do it, PowerShell may be the simplest; check my blog blksthl.com on how to.
If you don’t do it right away, you or your customer will most likely forget to enable and configure it when you are done.

A server is not really meant for browsing SharePoint sites or the Internet; use a client machine or a separate test server if you have to. If you MUST browse from this particular SharePoint server, disable it for admins only and enable it again when done.
You’ll find a PowerShell script at the end showing how you can easily configure it.

Use HTTPS on Central Administration site.

Often, too often, https is used for the web applications but not for the Central Administration site. It takes a bit of configuring and thinking to get it working, but it is a recommended way to protect your environment. Remember, passwords will at times be transferred in cleartext on the Central Admin site.
Follow the word of Spencer Harbar to get it done: Using SSL for Central Administration with SharePoint 2013
http://www.harbar.net/archive/2013/02/13/Using-SSL-for-Central-Administration-with-SharePoint-2013.aspx

***

Summary,
My hope is that we will all try to do something extra when it comes to security in the future. Do your best to leave a better, more secure environment behind, and take a while to instruct the customer on the importance of keeping the environment secure even after you have left. Make them aware as well.
If you or your customers need a wake-up call, please watch my dear colleagues’ session from TechEd North America this year, voted no 1, by Marcus Murray and Hasain Alshakarti at Truesec: Live Demonstration: Hacker Tools You Should Know and Worry About
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B309#fbid=SxGCyIja7i5
After you or your customer has seen what can be done with simple tools available to all…perhaps the general attitude towards security processes may improve a bit?

Final word: It is not all about cool buzzwords/technologies like oauth or claims or federations, it is even more about processes and boring policies…

Crude list of all members of local Administrators, in a PowerShell prompt running as administrator:

Get-WmiObject Win32_GroupUser | Where-Object { $_.GroupComponent -like '*"Administrators"' } | Format-Table PartComponent

There are better-looking examples out there, but this is a one-liner that does the trick…